Sectigo SSL Cert is not trusted
Categories: Core :: Security, defect
People: Reporter: dustin, Unassigned
Attachments: 2 files
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0
Steps to reproduce:
Connect to https://geeksbot.app
Actual results:
Returns
This Connection is Untrusted
You have asked Firefox to connect securely to geeksbot.app but we can't confirm that your connection is secure.
...
Technical Details
geeksbot.app uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. Error Code:
SEC_ERROR_UNKNOWN_ISSUER
Expected results:
The web app loads fine on Firefox on the desktop, and using the Chrome app on mobile. The certificate is signed by Sectigo and should be trusted. I have included the certificates that are returned by the server which are trusted by Firefox on desktop. The chain is as follows:
USERTrust RSA Certification Authority
-- Sectigo RSA Domain Validation Secure Server CA
---- geeksbot.app
This could be an issue with Sectigo changing root certificates on January 14th of this year.
I can provide more information if needed.
Thanks
USERTrust CA
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
Sectigo RSA CA
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
geeksbot.app
-----BEGIN CERTIFICATE-----
[PEM body omitted]
-----END CERTIFICATE-----
Updated•7 years ago
Comment 1•7 years ago
This site has a broken intermediate/chain. The server admin would need to install the correct intermediate certs for this to be trusted. Your desktop Firefox has cached intermediate certs that allow the site to be validated. If you open Firefox in a new profile then you will get the same behavior as you saw in Firefox for Android.
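The behaviour Comment 1 describes, shown offline as an added example (this is not code from the bug thread or from Mozilla): a throw-away root -> intermediate -> leaf chain is built with openssl, then the leaf is path-built against the root twice, once with only the leaf "served" (what a client with an empty intermediate cache sees from a misconfigured server) and once with the intermediate alongside it. All names (Demo Root CA, Demo Intermediate CA, the geeksbot.app leaf CN) and the served-chain files are constructed for the demo; openssl 1.1.1 or later and a standard openssl.cnf are assumed.

```shell
#!/bin/sh
# Added example, not code from this bug report. Builds a demo chain and
# path-builds the leaf with and without the intermediate, which is the
# whole difference between "trusted" and SEC_ERROR_UNKNOWN_ISSUER here.
# Every name below is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR with the given CA cert/key, applying the x509v3 extensions in $5.
issue() {
  csr="$1"; ca_cert="$2"; ca_key="$3"; out="$4"; extfile="$5"
  openssl x509 -req -in "$csr" -CA "$ca_cert" -CAkey "$ca_key" -CAcreateserial \
    -days 2 -sha256 -extfile "$extfile" -out "$out" >/dev/null 2>&1
}

make_chain() {
  # Self-signed root: the only certificate the client trusts a priori
  # (the default openssl.cnf v3_ca section makes it CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA signed by the root: the role the "Sectigo RSA Domain
  # Validation Secure Server CA" plays in the reporter's chain.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  issue "$WORK/int.csr" "$WORK/root.pem" "$WORK/root.key" "$WORK/int.pem" "$WORK/int.ext"

  # End-entity certificate signed by the intermediate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:geeksbot.app\nextendedKeyUsage=serverAuth\n' \
    > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=geeksbot.app" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  issue "$WORK/leaf.csr" "$WORK/int.pem" "$WORK/int.key" "$WORK/leaf.pem" "$WORK/leaf.ext"
}

# Path-build $leaf up to the trusted $root. $served holds whatever extra
# certificates the server put in its TLS Certificate message (possibly none);
# they are untrusted input to path building, never trust anchors.
# Prints "trusted" or the Firefox error name for the failure.
chain_status() {
  root="$1"; served="$2"; leaf="$3"
  if [ -s "$served" ]; then
    result=$(openssl verify -CAfile "$root" -untrusted "$served" "$leaf" 2>&1 || true)
  else
    result=$(openssl verify -CAfile "$root" "$leaf" 2>&1 || true)
  fi
  case "$result" in
    *": OK"*) echo trusted ;;
    *)        echo SEC_ERROR_UNKNOWN_ISSUER ;;
  esac
}

make_chain
: > "$WORK/served_leaf_only.pem"                            # misconfigured server: leaf only
cp "$WORK/int.pem" "$WORK/served_with_int.pem"              # correct server: intermediate sent too
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem" # what the server should be configured to serve

echo "leaf only:         $(chain_status "$WORK/root.pem" "$WORK/served_leaf_only.pem" "$WORK/leaf.pem")"
echo "with intermediate: $(chain_status "$WORK/root.pem" "$WORK/served_with_int.pem" "$WORK/leaf.pem")"

# Against a live host the equivalent check is (not run here, it needs the network):
#   openssl s_client -connect geeksbot.app:443 -servername geeksbot.app -showcerts </dev/null
# If the leaf's Issuer does not appear as the Subject of one of the printed
# certificates, any client that has neither cached nor fetched that
# intermediate fails exactly like the "leaf only" case above.
```

The "with intermediate" case is also what a desktop profile that has cached the intermediate from an earlier, correctly configured site sees, which is why the bug is only visible from a fresh profile or a mobile browser; the fullchain.pem produced at the end is the file the server's certificate setting should point at.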
Comment 2•7 years ago
Hi Kevin,
That is the problem. It is not a broken chain, as you can see from the chain of certs that I included. Also, what you said about opening the site in a new profile is not correct. I have opened the site on a fresh install of Firefox with no imported profiles on separate computers, both Windows and Linux, and the fresh install of Firefox is able to load the site just fine and says it is secure. This is only an issue with Firefox Mobile. Not sure if it is Android-specific though, because I don't have an iOS device to test it with.
Please remove the RESOLVED mark from this bug as it is not resolved.
Also, the fact that it works on Chrome on Android says it is not a problem with Android itself but that Firefox for Android does not want to have to check on the certs itself but rather completely denies access even though the entire chain is trusted. It should either check the Extra Download certs or allow the user to bypass the message and add the cert themselves.
Thanks
Updated•7 years ago
Comment 3•7 years ago
That site works for me on Firefox for Android - can you try again?
Comment 4•7 years ago
Hi Dana,
Since posting this question I have gone in and appended the missing certificate. But this is still an issue that needs to be resolved in a general sense. If you would like I can remove that certificate so you can test it.
Thanks
Comment 5•7 years ago
Ok - we're working on a mechanism that would address this (see bug 657228). But in the meantime I recommend you configure your servers to send the necessary intermediates.
Comment 6•7 years ago
I'm seeing a similar issue for https://bridgewinners.com/ using Firefox 66.0b14 (64-bit) on Windows 7 and have been seeing the issue for three to four weeks, but only on the Firefox Developer Edition. I suspect the problem started on Feb 12, 2019, which is the beginning of the validity period for the Sectigo Limited certificate presented by the website. Firefox presents a warning and shows the error code SEC_ERROR_UNKNOWN_ISSUER. I will attach the certificate in a follow-up.
Comment 7•7 years ago
Comment 8•7 years ago
Comment 9•7 years ago
Same answer: that server isn't sending the correct (or, indeed, any) intermediate certificates: https://www.ssllabs.com/ssltest/analyze.html?d=bridgewinners.com